1. Field of the Invention
The present invention relates to a system and a method capable of emulating existing tape drive systems and to also remotely archive and retrieve data files via encrypted validation communication protocol.
2. Prior Art
It is necessary to store and backup data for many mainframe computer installations primarily for the purpose of safekeeping critical information to be used in the event of an unexpected loss of the primary copy. The backups are often remotely stored offsite of the mainframe installation.
At one time, ten inch, round reel tape drives were utilized on mainframe installations. The well known tape itself consists of a thin plastic base material with a coating of ferromagnetic ferric oxide powder. The round reel tapes were physically transported to an offsite location. Periodically, the tapes would be returned and then reused.
In the 1980's, cartridge tape units replaced the round reel tape drives. The tape cartridge system had fewer moving parts and was less prone to failure. Additionally, the tape cartridge system occupies a smaller floor footprint and consumed less power than the round reel drives. Additionally, the media itself was improved over time. Denser recording techniques allowed the cartridges to be smaller, yet hold the same amount of data. To improve cataloging and indexing functions, and facilitate data accessibility, typically one data set is placed on one tape volume. Some tape data sets span multiple volumes while others occupy less than a single volume. This can result in a significant waste of tape as most data sets occupy only a small portion of the media and the rest of the volume remains unused. Estimates are that industry norms are for tape cartridges to be less than 50% utilized. With a cartridge tape system, the same procedures for physically pulling certain cartridges and moving them to an offsite location would be performed.
More recently, virtual tape servers have been introduced which place a controller between a mainframe and the cartridge tape devices and attach a disk cache area from and to which data can be read and written. The controller handles the migration of data between the disk cache and the tape media in an optimal space and time fashion. The data is actually being read from and to disks. The disks are typically faster than tape devices.
Information regarding tape volumes is stored in a tape catalog, maintained by a tape management system running on the host mainframe. The tape management system associates a particular tape using its primary identifier, the tape's volume serial number, with the data sets stored onto it along with its retention, or expiration date. In order to manage the re-use of tapes, the retention date indicates when the data on a tape is no longer required and at such point in time, the tape may have its data overwritten or “scratched” out. Scratch tape is a common mainframe term for a tape available to be written upon, regardless of its prior contents if any.
A scratch list is a report that is generally prepared on a daily basis that includes all of the volume serial numbers whose retention date expired on that day. A human typically refers to this report while walking through a tape library, pulling those tapes on the report so that they may be placed into the scratch pool for reuse. The tape management system imposes a safe guard against non-expired tapes being mounted in place of a scratch tape by comparing the tape's volume serial number against its catalog expiration date. This volume serial number, in addition to being hand written onto the exterior of the tape, is on the beginning of the tape prior to the start of data set information in a section known as a “header”. When a scratch tape is mounted for writing, the tape management system inspects the tape catalog to verify that the tape is truly a scratch. If not, then it is rejected and a different scratch tape requested.
A vault list is a report prepared at some particular time interval that includes all of the volume serial numbers that are to be removed from the tape library and physically taken offsite. Mainframe data centers have the need to move or copy data to off site locations, primarily for the purpose of safe keeping critical information to be used in the event of an unexpected loss of the primary copy of that information. This typically involves physical transportation of the mainframe tapes, an error prone process in that sometimes all the required tapes are not sent or sometimes a tape sent in error that is later required to be retrieved in order to complete the processing of a mainframe job. Further, the data on these tapes is typically un-encrypted and therefore vulnerable to anyone being able to read it.
The tape management system is primarily used to cross-reference the location of a desired data set to a tape volume serial number. It is secondarily used to manage scratch lists and vault lists.
The present invention advances the art by allowing its practice to be supported via an encrypted communications protocol interfacing with, and relying upon, the teachings, practices and claims disclosed in U.S. Pat. No. 6,499,108 (hereinafter synonymously referred to as “Secure Agent™” or “SA”).
Secure Agent Service Overview
The following overview is provided to facilitate a comprehensive understanding of the teachings of the instant invention. Secure Agent™ utilizes a secure login sequence wherein a client connects to a Secure Agent server using a key known to both systems and a client connects and presents the server with user identification (as used herein the term “client” refers synonymously to a remote user or component establishing, and communicating with the instant invention through Secure Agent allocation and encryption processes as taught in the above noted applications). If recognized, the Secure Agent server initiates a protocol whereby the client's identification is verified and subsequent communication is conducted within a secured (encrypted) construct. For purposes of this overview, the term “server” should be considered a hardware configuration represented as a central processing unit wherein Secure Agent, a Host DLL and driver reside, and are executed. The term “DLL” as used herein refers to a Secure Agent host dynamically linked library (a.k.a. Host DLL). The term “DLL” or “dynamically linked library” is used in a manner consistent with that known to those skilled in the art. Specifically, the term “DLL” refers to a library of executable functions or data that can be used by a Windows™ or LINUX application. As such, the instant invention provides for one or more particular functions and program access to such functions by creating a static or dynamic link to the DLL of reference, with “static links” remaining constant during program execution and “dynamic links” created by the program as needed.
The Secure Agent server presents a variable unit of data, such as the time of day, to the client as a challenge. The client must then encrypt that data and supply it back to the server. If the server is able to decrypt the data using the stored client's key so that the result matches the original unencrypted challenge data, the user is considered authenticated and the connection continue. The key is never passed between the two systems and is therefore never at risk of exposure.
The initial variable unit of data seeds the transmission of subsequent data so that the traffic for each client server session is unique. Further, each byte of data transmitted is influenced by the values of previously sent data. Therefore, the connection is secure across any communication passageway including public networks such as, but not limited to, the Internet. The distance between the client and server is not of consequence but is typically a remote connection. For accountability purposes, the actions of a client maybe recorded (logged) to non-volatile storage at almost any detail level desired.
The access rights of each client (what the client is able to accomplish during a session) is governed by data stored on the Secure Agent server to which the client is associated. As an example, such rights might encompass the ability to administer and utilize the services of the server system, which would, in turn, include capabilities such as adding new clients or components, changing a user's rights, transferring new code to the server, using a feature (or service) of the server and more.
Consequently, Secure Agent allows for the transmission of new code to the server and for that code to be implemented upon demand by a client. Such dynamic, real-time implementation in turn, allows for the behavior of the server to be modified. It is to this behavior modification the instant invention addresses its teachings, and thereby advances the contemporary art.
As will be readily appreciated by those skilled in the art, though the instant invention utilizes encryption/decryption and code recognition technology associated with Secure Agent, an alternative technology may be employed in support of the instant invention without departing from the disclosure, teachings and claims presented herein.